Auditing IT Vulnerabilities IT vulnerabilities are weaknesses or exposures in IT assets or processes that may lead to a business risk or security risk.

Presentation transcript:

Auditing IT Vulnerabilities
IT vulnerabilities are weaknesses or exposures in IT assets or processes that may lead to a business risk or security risk. Examples:
Networks exposed to attackers, viruses, worms
Inadequate password management, weak cryptography
Inappropriate access to files, misconfigured applications
Vulnerability management is the set of processes and technologies that an organization employs to identify, assess, and remediate vulnerabilities.

Regulations
Sarbanes-Oxley Act of 2002
U.S. Federal Financial Institution Examination Council
Canadian and Japanese versions of SOX

Vulnerability Management Lifecycle

Identify and Validate: Scope Systems, Detect Vulnerabilities, Validate Findings
Assess Risk and Prioritize: Assess Risks, Prioritize Vulnerabilities
Remediation: Mitigate Critical Vulnerabilities, Create a Vulnerability Mitigation Process, Stop the Spread, Set Expectations With an Operational Level Agreement (OLA), Achieve Efficiency Through Automation
Continually Improve: Use Past Experience to Guide Future Actions

How To Identify High and Low Performers
High performers:
have effective vulnerability management processes
have efficient processes that detect vulnerabilities almost in real time
promote secure configurations
Low performers:
have inefficient vulnerability detection and management processes
do not detect vulnerabilities
do not keep track of their IT assets

Metrics (metric: description)

Percent of total systems monitored or scanned: This measures the completeness of an organization's vulnerability management solution, whether it has awareness of all or some of its systems, and whether it is monitoring them.
Number of unique vulnerabilities: This measures the amount of variance and risk [1] that exists among systems.
Percent of total systems that are subject to a configuration management process: This measures the degree to which an organization has control over devices that are placed on its network. For instance, is the organization aware of every new device? Is each device configured with appropriate patch management and security controls?
Percent of all detected vulnerabilities that have been validated: This measures the percentage of all vulnerabilities that have been validated or prioritized. It serves to highlight the difference between organizations that simply gather data and those that act on data.
Mean time to remediate a vulnerability: This measures the efficiency of an organization in remediating vulnerabilities.
Percentage of actionable vulnerabilities fixed within a predetermined time period: This measures the organization's ability to remediate the vulnerabilities it deems worthy of fixing. "Actionable" refers to the difference between all vulnerabilities and those that need to be fixed.
Percentage of OLAs where performance targets have been achieved: This measures the effectiveness of the OLAs the organization has set for itself and for other groups.
Percentage of the IT Security organization's time spent on unplanned work: This is a measure of how effective the organization is at implementing quality changes to IT assets, and how little time it spends reacting to failed changes or security incidents.
Number of security incidents: This measures the number of compromises to the confidentiality, integrity, or availability of an organization's IT assets.
Impact of security incidents: This measures, to the best extent possible, total dollar losses due to security incidents, including the time and costs involved in investigating and correcting the incident and the impact to the business.

Top 10 Questions CAEs Should Ask About Vulnerability Management
1. What percent of total systems are monitored or scanned?
2. How many unique vulnerabilities exist in your enterprise?
3. What percent of systems are managed?
4. What percent of vulnerabilities have you validated?
5. What is the mean time to remediate a vulnerability?
6. What percentage of actionable vulnerabilities were remediated in the past quarter?
7. What percent of your OLAs are met?
8. What percent of IT Security work is unplanned?
9. How many security incidents have you experienced during the past quarter?
10. What was the average cost of your last five security incidents?
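The metrics table above and the first six CAE questions are the same measurements seen from two sides. The following added example (not part of the presentation) computes them from a small constructed asset inventory and finding register, so an auditor can see exactly which denominators each percentage uses; the system names and VULN-000x identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Finding:
    system: str            # asset the scanner reported the issue on
    vuln_id: str           # constructed placeholder id, not a real CVE
    detected: date
    validated: bool        # confirmed as a true positive by someone
    actionable: bool       # judged worth fixing (not accepted/false positive)
    remediated: Optional[date]  # None while still open

# Constructed inventory: asset name -> whether the scanner covers it.
INVENTORY = {"web-01": True, "web-02": True, "db-01": True,
             "legacy-01": False, "hr-fs": False}

# Constructed register: note VULN-0001 appears on two systems.
FINDINGS = [
    Finding("web-01", "VULN-0001", date(2024, 3, 1), True, True, date(2024, 3, 8)),
    Finding("web-02", "VULN-0001", date(2024, 3, 1), True, True, date(2024, 3, 31)),
    Finding("db-01", "VULN-0002", date(2024, 3, 5), True, True, None),
    Finding("db-01", "VULN-0003", date(2024, 3, 5), False, False, None),
    Finding("web-01", "VULN-0004", date(2024, 3, 10), True, False, None),  # risk accepted
]

def pct_systems_scanned(inventory: dict) -> float:
    """Question 1: coverage over the full inventory, unscanned assets included."""
    return round(100.0 * sum(inventory.values()) / len(inventory), 1)

def unique_vulnerabilities(findings: list) -> int:
    """Question 2: distinct issues, not raw finding count."""
    return len({f.vuln_id for f in findings})

def pct_validated(findings: list) -> float:
    """Question 4: share of all detected findings a human has confirmed."""
    return round(100.0 * sum(f.validated for f in findings) / len(findings), 1)

def mean_time_to_remediate(findings: list) -> Optional[float]:
    """Question 5: average days from detection to fix over closed findings only."""
    closed = [(f.remediated - f.detected).days for f in findings if f.remediated]
    return round(sum(closed) / len(closed), 1) if closed else None

def pct_actionable_fixed_within(findings: list, window_days: int) -> float:
    """Question 6: of findings deemed worth fixing, how many closed inside the window."""
    actionable = [f for f in findings if f.actionable]
    if not actionable:
        return 0.0
    on_time = [f for f in actionable
               if f.remediated and (f.remediated - f.detected).days <= window_days]
    return round(100.0 * len(on_time) / len(actionable), 1)
```

Running the functions on the constructed data shows why the last two metrics differ: the mean time to remediate looks only at closed findings, while the on-time percentage counts still-open actionable findings against the organization.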

Vulnerability Resources for the Internal Auditor
1. Common Vulnerability Scoring System (CVSS)
2. IIA Practice Advisory Information Security
3. ISO/IEC
4. The Laws of Vulnerabilities
5. National Vulnerability Database (NVD)
6. SANS Top Vulnerability Scanners

Conclusion
Auditors must have an effective vulnerability management program. They must design a process to detect, assess, and mitigate vulnerabilities on a continual basis. These tasks need to be integrated into the overall IT process framework and the IT controls over financial accounting.